System for secure erasing of files

ABSTRACT

The present invention is directed to a system and method for the secure and correct deletion of data files from a data storage that bypasses the file system of an operating system. A secure erase service receives a secure erase request from a system interceptor component, which has intercepted a system call from an application. The system call interceptor component communicates with the secure erase service via an interprocess communication module. The secure erase service receives the secure erase request from the interprocess communication module and communicates the secure erase request to a secure erase library. Using the file information contained in the secure erase request, the secure erase library queries the file system of the data storage device to determine the location of data blocks containing the to be deleted data. Once, the location of the data blocks has been determined, the secure erase library then instructs the device driver, via a virtual file system, to overwrite the data blocks storing the electronic file a predetermined number of times.

BACKGROUND

This invention teaches a system and method for the secure deletion offiles on a hard drive. More particularly, this invention is directed toa system and method for securely erasing data files while bypassing thefile system of the operating system.

Data security and protection are major issues in the presentsocio-economic environment. Businesses and individuals need to maintaintheir privacy in an ever increasing information-based society. Suchprivacy typically extends to the personal and proprietary files storedon non-volatile storage media, such as computer hard drives. Mostoperating systems fail to delete a file from the hard drive wheninstructed to do so by an application or a user. Instead, operatingsystems remove the link, or address, of the file, while the contents ofthe electronic data file remain in blocks on the non-volatile storagemedia. The data remains on the storage media until that area of themedia is required for storing some other file. The blocks are only thenoverwritten with the new data. Until such overwriting, a skilledcomputer expert can retrieve the deleted data from the non-volatilestorage media. Previous attempts have been made to overwrite, orsecurely delete, the data blocks in the past.

In some operating systems, such as Windows® by Microsoft Corporation,the overwriting tasks are easier than in others, such as Linux, anopen-source operating system freely available and widely used.Third-party vendors offer a variety of secure delete applications forthe Windows® operating system. Linux, in contrast has relatively fewsuch utilities available. Those utilities that are available haveseveral problems. For example, the utilities typically rely on theunderlying file system to write to the non-volatile storage media,resulting in errors in the overwriting of the original data blocks Inaddition, the utilities require distinct user interaction, i.e., theycannot be initiated automatically by an application. Additionally,operating systems such as the Linux operating system will typicallyallocate time slices for overwrite operations. Thus, the overwriteoperations may be deferred while other tasks are being executed. In anextreme case, application termination or hardware failure may result inan abort of an overwrite procedure, resulting in data still beingrecoverable.

Thus there is a need for a system and method to securely and correctlyerase data files from a data storage that bypasses the file system.

SUMMARY OF THE INVENTION

In accordance with the present invention, there is provided a system andmethod for the secure deletion of electronic files.

Further, in accordance with the present invention, there is provided asystem and method for securely erasing electronic files from a datastorage device.

Further, in accordance with the present invention, there is provided asystem and method for securely erasing data files from a data storagewhile bypassing the file system of an operating system.

Still further, in accordance with the present invention, there isprovided a system for the secure erasing of data files while bypassingthe file system of an operating system. The system includes meansadapted to receive a secure erase signal representative of a desirederasure of a selected electronic file stored in a non-volatile memoryand means adapted to communicate data to an associated data storage. Thedata storage includes means adapted to store data in a selectedplurality of data storage segments, means adapted to receive data forstorage in the data storage segments, file system means, means adaptedto receive a tracking data query representative of tracking dataassociated with the selected electronic file, and means adapted tooutput tracking data associated with the selected electronic file inaccordance with the received tracking data query. The file system meansincludes means for storing tracking data representative of at least onedata storage segment which is used to store data associated with each ofa plurality of data records. The system further includes means adaptedto communicate a tracking data query to the data storage in accordancewith a received, secure erase signal, means adapted to receive trackingdata representative of each data segment from the file system means, andsecure erase initiation means adapted for initiating a high-prioritydata write operation of selected overwrite data to each data storagesegment associated with the selected electronic file.

In a preferred embodiment, the system also includes means adapted toreceive the secure erase signal as an intercept of a system erase callto an associated operating system, means for obtaining program controlfrom an associated, calling process upon receipt of the secure erasesignal, and means for releasing program control after completion of ahigh-priority data write operation initiated by the secure eraseinitiation means.

Preferably, the associated data storage is a non-volatile memory, amagnetic data storage medium, or a hard disk drive. In a more preferredembodiment, the associated operating system is Linux and the trackingdata is contained in a Linux virtual file system.

Still further, in accordance with the present invention, there isprovided a method for securing erasing of data files while bypassing thefile system. A secure erase signal, representing a desired erasure of aselected electronic file stored in a non-volatile memory, is received.The method then communicates data to an associated data storage, whichis received by the data storage and stored the data in a selectedplurality of data storage segments. Tracking data, representing at leastone data storage segment, is stored using a file system, which storesdata associated with the selected electronic data file. The trackingdata associated with the selected electronic data file is then outputaccording to a received tracking data query. The tracking data query iscommunicated to the data storage according to the received secure erasesignal. The tracking data representing each data segment from the filesystem is received and a high-priority data write operation of selectedoverwrite data to each data storage segment associated with the selectedelectronic file is initiated.

In a preferred embodiment, the method also includes the steps ofreceiving the secure erase signal as an intercept of a system erase callto an associated operating system, obtaining program control from anassociated calling process upon receipt of the secure erase signal, andreleasing program control after completion of a high-priority data writeoperation initiated by the secure erase initiation means.

Preferably, the associated data storage is non-volatile memory, amagnetic storage medium, or a hard disk drive. In a more preferredembodiment, the associated operating system is Linux and the trackingdata is contained in a Linux virtual file system.

BRIEF DESCRIPTION OF THE DRAWINGS

The subject invention is described with reference to certain parts, andarrangements to parts, which are evidenced in conjunction with theassociated drawings, which form a part hereof and not, for the purposesof limiting the same in which:

FIG. 1 is a block diagram illustrative of the system of the presentinvention;

FIG. 2 is a flowchart illustrating the application direct secure eraseprocess according to the present invention; and

FIG. 3 is a flowchart illustrating the secure erase process using thesystem integrator component according to the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

This invention is directed to a system and method for securely erasingelectronic files from a data storage device. More particularly, thisinvention provides a system and method for securely erasing data filesfrom a data storage while bypassing the file system an operating system.The system and method enable the secure deletion of electronic filesfrom an associated data storage directly from an application and from asystem interceptor component, while bypassing the file system.

FIG. 1 illustrates a block diagram preferred embodiment of the systemaccording to the present invention generally designated as 100. As shownin FIG. 1, the system 100 includes a Linux-based device 102, such as apersonal computer, a server, a printer-controller, an image-generatingdevice, a multifunction peripheral device and the like. As will beunderstood by those skilled in the art, Linux refers to an operatingsystem that is an implementation of the Unix kernel containing noproprietary code. While the preferred embodiment is directed to a Linuxoperating system environment, it will be appreciated by one of ordinaryskill in the art that the subject teachings are suitably applied in anyoperating system having the shortcomings noted above. Resident on theLinux-based device 102 is an application 104, or other complete,self-contained program that performs a specific function directly for auser. In the preferred embodiment, the application 104 resides on theLinux-based device 102. The skilled artisan will appreciate that theapplication 104 is, for example, and without limitation, aword-processing program, a spreadsheet editor, and a text formatter. Ina preferred embodiment, the application 104 receives user input via agraphical user-interface.

The system 100 also includes a secure erase service 106, equipped tocommunicate with the application 104 directly, or indirectly via asystem call interceptor component 108. The secure erase service 106 isin data communication with a secure erase library 110, located on anassociated data storage device 112. The secure erase library maintainstracking data on the location of the data blocks that store anelectronic data file. As will be appreciated by those skilled in theart, the data storage device 112 is capable of being implemented as thehard drive component of the Linux-based device 102, or another form ofmagnetic, optical or other non-volatile memory associated with theLinux-based device 102. When the application 104 is capable of directlycommunicating with the secure erase service 106, i.e., the applicationhas administrative authority on the Linux-based device 102, there is noneed to issue a system call 114.

The application 104 issues a secure erase request directly to the secureerase service 106. The secure erase service 106 processes the requestand communicates the request to the secure erase library 110 todetermine the data blocks on the data storage device 112 containing thedata to be deleted. The secure erase library 110 queries the file system118 of the data storage device 112 to determine the location of datablocks containing the selected data. Once, the location of the datablocks has been determined, the secure erase library 110 then instructsthe device driver 120 of the data storage device 112 to overwrite thosedata blocks containing the to be deleted data a predetermined number oftimes.

Indirect data communication between the application 104 and the secureerase service 106 is accomplished using the system call 114. As will beunderstood by those skilled in the art, the system call 114 is anymechanism, known in the art, used by an application program to requestservice from an operating system. The skilled artisan will appreciatethat use of the system call 114 in the present invention enables a user,lacking administrative or supervisory authority, to cause the processorto change operating modes to a supervisor mode, thereby allowing theoperating system to perform restricted actions, i.e., accessing hardwaredevices or a memory management unit.

When the application 104 initiates a system call 114 to erase anelectronic data file stored on the associated data storage device 112,the system call 114 is intercepted by the system call interceptorcomponent 108. The system call interceptor component 108 thencommunicates with the secure erase service 106 via an interprocesscommunication module 116. The interprocess communication module 116 ofthe present invention is an interprocess communication mechanism knownin the art capable of facilitating the exchange of data between oneprocess and another, either within the same computer, as shown in FIG.1, or over a network, such as the Linux-based device 102 and an externalLinux-based peripheral device (not shown).

The secure erase service 106 receives the secure erase request from theinterprocess communication module 116 and communicates the secure eraserequest to the secure erase library 110. Using the file informationcontained in the secure erase request, the secure erase library 110queries the file system 118 of the data storage device 112 to determinethe location of data blocks containing the to be deleted data. Once, thelocation of the data blocks has been determined, the secure eraselibrary 110 then instructs the device driver 120 of the data storagedevice 112 to overwrite the data blocks storing the electronic file apredetermined number of times.

Turning now to FIG. 2, there is shown a flowchart illustrating thedirect initiation of a secure delete operation by the application 104having supervisory authority. Beginning at step 202, the user selects afile stored in the data storage device for secure erase using a callerapplication. At step 204, the application transmits a file erase requestto the secure erase service to erase the file selected at step 202 fromthe data storage device. The file erase request prompts the secure eraseservice to call the secure erase library at step 206. The secure eraselibrary maintains data indicating the location of the electronic file tobe erased. At step 208, the secure erase library retrieves the locationdata for each data segment, or data block, corresponding to the selectedfile, from the file system. A high-priority data write operation isinitiated at step 210 to overwrite each data segment identified by thesecure erase library as containing data corresponding to the selectedfile.

The selected file is then overwritten using the device driver of thestorage device at step 212. The subject invention enables the bypassingof the file system by communicating with the device driver using avirtual file system. Thus, the system provides a controllable andprioritized mechanism to accomplish data overwriting. As will beunderstood by those skilled in the art, the virtual file system allowsdirect access to the device driver via open/read/write with, forexample, /dev/hdx as a file name. In addition, the bypassing of the filesystem through the device driver enables the immediate overwrite of theselected file, instead of waiting for the file system to optimize bybuffer and schedule the read/write operation. Furthermore, the skilledartisan will appreciate that the file system typically is optimized suchthat only the last of the predetermined number of rewrites occurs. Inaccordance with the subject invention, the use of the device driverallows the completion of the predetermined number of rewrites withoutthe file system interfering.

At step 214, a determination is made that the overwriting is notcomplete, i.e., that the predetermined number of overwrites has notoccurred. In such an event, the system returns to step 212 to overwritethe selected file using the device driver. When the overwriting of theselected file is determined to be complete at step 214, the systemproceeds to determine, at step 216, that the secure erase service hasreceived an additional secure erase request from the caller application.When the secure erase service has received an additional erase request,the system returns to step 206, wherein the secure erase library iscalled. When there are no additional secure erase requests at step 216,the system returns control to the caller application at step 218.

Referring now to FIG. 3, there is shown a flowchart illustrating theautomatic, or programmatic, secure deletion of a selected electronicfile. Beginning at step 302, a user selects a file for deletion via acaller application. It will be understood by those skilled in the artthat the user is merely selecting a file for deletion, not necessarilyrequiring the secure deletion of a file. The subject invention enables asystem administrator to designate certain applications thatautomatically securely delete files, while other applications use thegeneral file erase procedure. The application then submits a system callto delete the selected file at step 304. The skilled artisan willappreciate that the delete request of the system call, in the Linuxoperating system, is implemented as an unlink request transmitted fromthe kernel module. Unlink is an API used in the Linux operating systemto request removal of any symbolic link to a file. unlink guaranteesthat the space taken up by a file cannot be freed until all the hardlinks, e.g., pathnames for the same file within the same file system,have been removed.

The system call submitted at step 304 is then intercepted by a systeminterceptor component at step 306. The skilled artisan will appreciatethat due to the user being unaware of the secure deletion of theselected file, the system employs the interceptor to retrieve the user'sselection for secure erasure. The system interceptor component thentransmits a secure erase request, corresponding to the system call, tothe secure erase service at step 308. At step 310, the secure eraseservice generates a hard link reference to the selected file. As will beunderstood by those skilled in the art, the hard link referencegenerated by the secure erase service is a directory entry that relatesa pathname to an inode, which contains all the information about thefile, within the same file system.

The hard link representing the file of the secure erase request isentered into a secure erase queue at step 312. The secure erase requestsare then retrieved from the queue on a one-at-a-time basis at step 314.That is, the secure erase service retrieves the hard link, or pathname,of the file to be securely erased. Location data for each data segment,or block, of the selected file is then retrieved from the file systemusing the hard link at step 316. Advantageously, an application programinterface within the secure erase library is used to securely erase theselected file by using the hard link to locate the data segments and thedevice driver to overwrite the data segments. An immediate, orhigh-priority, data write operation is then initiated at step 318 tooverwrite each data segment a predetermined number of times. As will beunderstood by those skilled in the art, the overwrite operation issuitably accomplished using the virtual file system, enabling the devicedrivers to overwrite the data blocks and bypass the file system used onthe storage device.

Upon completion of the high-priority data write operation at step 318, aresponse is transmitted to the system interceptor component at step 320to inform the component that the overwrite has occurred. The systeminterceptor component then recalls the system unlink request, i.e., theoriginal delete request from the user, to remove the original file. Adetermination is made at step 324 that no additional hard link itemsremain in the queue. Upon such a determination, control is returned tothe caller application at step 326. When the determination made at step324 indicates that other hard link items remain in the queue, the systemreturns to step 314, wherein the next hard link item is retrieved fromthe queue and proceeds through the remaining steps. The process repeatsfor each individual item in the queue until the queue is empty andcontrol is returned to the caller application at step 326.

The invention extends to computer programs in the form of source code,object code, code intermediate sources and object code (such as in apartially compiled form), or in any other form suitable for use in theimplementation of the invention. Computer programs are suitablystandalone applications, software components, scripts or plug-ins toother applications. Computer programs embedding the invention areadvantageously embodied on a carrier, being any entity or device capableof carrying the computer program: for example, a storage medium such asROM or RAM, optical recording media such as CD-ROM or magnetic recordingmedia such as floppy discs. The carrier is any transmissible carriersuch as an electrical or optical signal conveyed by electrical oroptical cable, or by radio or other means. Computer programs aresuitably downloaded across the Internet from a server. Computer programsare also capable of being embedded in an integrated circuit. Any and allsuch embodiments containing code that will cause a computer to performsubstantially the invention principles as described, will fall withinthe scope of the invention.

The foregoing description of a preferred embodiment of the invention hasbeen presented for purposes of illustration and description. It is notintended to be exhaustive or to limit the invention to the precise formdisclosed. Obvious modifications or variations are possible in light ofthe above teachings. The embodiment was chosen and described to providethe best illustration of the principles of the invention and itspractical application to thereby enable one of ordinary skill in the artto use the invention in various embodiments and with variousmodifications as are suited to the particular use contemplated. All suchmodifications and variations are within the scope of the invention asdetermined by the appended claims when interpreted in accordance withthe breadth to which they are fairly, legally and equitably entitled.

1. A system for secure erasing of data files while bypassing the filesystem of an operating system comprising: means adapted to receive asecure erase signal representative of a desired erasure of a selectedelectronic file stored in a non-volatile memory; means adapted tocommunicate data to an associated data storage, the data storageincluding, means adapted to store data in a selected plurality of datastorage segments, means adapted to receive data for storage in the datastorage segments, file system means, the file system means includingmeans for storing tracking data representative of at least one datastorage segment which is used to store data associated with each of aplurality of data records, means adapted to receive a tracking dataquery representative of tracking data associated with the selectedelectronic file, and means adapted to output tracking data associatedwith the selected electronic file in accordance with the receivedtracking data query; means adapted to communicate a tracking data queryto the data storage in accordance with a received, secure erase signal;means adapted to receive tracking data representative of each datasegment from the file system means; and secure erase initiation meansadapted for initiating a high-priority data write operation of selectedoverwrite data to each data storage segment associated with the selectedelectronic file.
 2. The system for secure erasing of data files whilebypassing the file system of claim 1 wherein the associated data storageis comprised of a non-volatile memory.
 3. The system for secure erasingof data files while bypassing the file system of claim 2 wherein theassociated data storage is further comprised of a magnetic data storagemedium.
 4. The system for secure erasing of data files while bypassingthe file system of claim 3 wherein the associated data storage isfurther comprised of a hard disk.
 5. The system for secure erasing ofdata files while bypassing the file system of claim 4, furthercomprising: means adapted to receive the secure erase signal as anintercept of a system erase call to an associated operating system;means for obtaining program control from an associated, calling processupon receipt of the secure erase signal; and means for releasing programcontrol after completion of the high-priority data write operationinitiated by the secure erase initiation means.
 6. The system for secureerasing of data files while bypassing the file system of claim 5 whereinthe associated operating system is Linux, and wherein the tracking datais contained in a Linux virtual file system.
 7. A method for securingerasing of data files while bypassing the file system, comprising thesteps of: receiving a secure erase signal representative of a desirederasure of a selected electronic file stored in a non-volatile memory;communicating data to an associated data storage, storing in theassociated data storage data in a selected plurality of data storagesegments, receiving data for storage in the data storage segments,storing, via a file system, tracking data representative of at least onedata storage segment which is used to store data associated with theselected electronic file, and outputting tracking data associated withthe selected electronic file in accordance with a received tracking dataquery; communicating a tracking data query to the data storage inaccordance with the received secure erase signal; receiving trackingdata representative of each data segment from the file system; andinitiating a high-priority data write operation of selected overwritedata to each data storage segment associated with the selectedelectronic file.
 8. The method for secure erasing of data files whilebypassing the file system of claim 7 wherein the associated data storageis comprised of a non-volatile memory.
 9. The method for secure erasingof data files while bypassing the file system of claim 8 wherein theassociated data storage is further comprised of a magnetic data storagemedium.
 10. The method for secure erasing of data files while bypassingthe file system of claim 9 wherein the associated data storage isfurther comprised of a hard disk.
 11. The method for secure erasing ofdata files while bypassing the file system of claim 10, furthercomprising the steps of: receiving the secure erase signal as anintercept of a system erase call to an associated operating system;obtaining program control from an associated calling process uponreceipt of the secure erase signal; and releasing program control aftercompletion of the high-priority data write operation.
 12. The method forsecure erasing of data files while bypassing the file system on anoperating system of claim 11 wherein the associated operating system isLinux, and wherein the tracking data is contained in a Linux virtualfile system.
 13. A computer-readable medium of instructions withcomputer-readable instructions stored thereon for securing erasing ofdata files while bypassing the file system comprising: instructions forreceiving a secure erase signal representative of a desired erasure of aselected electronic file stored in a non-volatile memory; instructionsfor communicating data to an associated data storage, instructions forstoring in the associated data storage data in a selected plurality ofdata storage segments, instructions for receiving data for storage inthe data storage segments, instructions for storing, via a file system,tracking data representative of at least one data storage segment whichis used to store data associated with the selected electronic file, andinstructions for outputting tracking data associated with the selectedelectronic file in accordance with a received tracking data query;instructions for communicating a tracking data query to the data storagein accordance with the received secure erase signal; instructions forreceiving tracking data representative of each data segment from thefile system; and instructions for initiating a high-priority data writeoperation of selected overwrite data to each data storage segmentassociated with the selected electronic file.
 14. The computer-readablemedium of instructions with computer-readable instructions storedthereon for secure erasing of data files while bypassing the file systemof claim 13 wherein the associated data storage is comprised of anon-volatile memory.
 15. The computer-readable medium of instructionswith computer-readable instructions stored thereon for secure erasing ofdata files while bypassing the file system of claim 14 wherein theassociated data storage is further comprised of a magnetic data storagemedium.
 16. The computer-readable medium of instructions withcomputer-readable instructions stored thereon for secure erasing of datafiles while bypassing the file system of claim 15 wherein the associateddata storage is further comprised of a hard disk.
 17. Thecomputer-readable medium of instructions with computer-readableinstructions stored thereon for secure erasing of data files whilebypassing the file system of claim 16, further comprising: instructionsfor receiving the secure erase signal as an intercept of a system erasecall to an associated operating system; instructions for obtainingprogram control from an associated calling process upon receipt of thesecure erase signal; and instructions for releasing program controlafter completion of the high-priority data write operation.
 18. Thecomputer-readable medium of instructions with computer-readableinstructions stored thereon for secure erasing of data files whilebypassing the file system of claim 17 wherein the associated operatingsystem is Linux, and wherein the tracking data is contained in a Linuxvirtual file system.
 19. A computer-implemented method for securingerasing of data files while bypassing the file system, comprising thesteps of: receiving a secure erase signal representative of a desirederasure of a selected electronic file stored in a non-volatile memory;communicating data to an associated data storage, storing in theassociated data storage data in a selected plurality of data storagesegments, receiving data for storage in the data storage segments,storing, via a file system, tracking data representative of at least onedata storage segment which is used to store data associated with theselected electronic file, and outputting tracking data associated withthe selected electronic file in accordance with a received tracking dataquery; communicating a tracking data query to the data storage inaccordance with the received secure erase signal; receiving trackingdata representative of each data segment from the file system; andinitiating a high-priority data write operation of selected overwritedata to each data storage segment associated with the selectedelectronic file.
 20. The computer-implemented method for secure erasingof data files while bypassing the file system of claim 19 wherein theassociated data storage is comprised of a non-volatile memory.
 21. Thecomputer-implemented method for secure erasing of data files whilebypassing the file system of claim 20 wherein the associated datastorage is further comprised of a magnetic data storage medium.
 22. Thecomputer-implemented method for secure erasing of data files whilebypassing the file system of claim 21 wherein the associated datastorage is further comprised of a hard disk.
 23. Thecomputer-implemented method for secure erasing of data files whilebypassing the file system of claim 22, further comprising the steps of:receiving the secure erase signal as an intercept of a system erase callto an associated operating system; obtaining program control from anassociated calling process upon receipt of the secure erase signal; andreleasing program control after completion of the high-priority datawrite operation.
 24. The computer-implemented method for secure erasingof data files while bypassing the file system of claim 23 wherein theassociated operating system is Linux, and wherein the tracking data iscontained in a Linux virtual file system.